NANOG Meeting Presentation Abstract

SENSS: Security Service for the Internet

Meeting:

NANOG64

Date / Time:

2015-06-01 1:00pm - 1:30pm

Room:

Grand Ballroom

Presenters:

Speakers:

Jelena Mirkovic, USC/ISI

Jelena Mirkovic is Project Leader at USC/ISI and research faculty at USC. She received her MS and PhD from UCLA. She received her BS in Computer Science and Engineering from the School of Electrical Engineering, University of Belgrade, Serbia. Jelena's research interests span networking and security fields. Her current research is focused on malware analysis, denial-of-service attacks, and IP spoofing. Additionally, she is interested in methodologies for conducting security experiments and Internet measurement.

Minlan Yu. Ying Zhang. Abdulla Alwabel.

Abstract:

Distributed network attacks, such as DDoS and BGP prefix hijacking, can severely hurt online businesses and disrupt critical infrastructure services. The main challenge in handling such attacks is their distributed nature: the best locations to diagnose and mitigate them are often far from the victim's network.
Today's Internet has no automated mechanism for victims to ask remote ISPs for help, and gives remote ISPs little incentive to offer such services. Consequently, prefix hijacking attacks go largely unmitigated, and victims of DDoS attacks pay exorbitant prices to large CDNs to distribute their content and thus sustain the attacks.

We propose SENSS, a programmable security service for the Internet. SENSS brings simple and generic programmable interfaces from SDN to inter-AS security. These interfaces can be easily implemented in today's ISPs; victims use them to observe and control their own traffic and routes in remote ISPs, and pay per use. We show how victims can leverage these simple interfaces to design solutions against many attacks. We provide six such custom programs that handle a variety of DDoS and BGP prefix hijacking attacks, many of which are not handled today. We evaluate SENSS through extensive simulations and a prototype implementation, using realistic traffic and Internet topology, and show that it is very effective in sparse deployment (with adoption in 20 large ISPs, SENSS can eliminate 80-96% of DDoS attack traffic and correct 92-99% of polluted ASes for BGP prefix hijacking), and that it has low message overhead and delay.

Research and Education Track
Speakers: Michael Sinatra, ESnet; Julie Percival, University of Texas at Dallas; Michael Smitasin, Lawrence Berkeley National Laboratory; Murat Yuksel, University of Nevada, Reno
